Personalizing account hijacking may mean more work, but the ROI is better and attackers have more exploit opportunities.
A vast majority of research focuses on automated and/or botnet exploits, which makes sense when considering the number of victims affected. However, a research team from Google and the University of California, San Diego chose a different path, looking at "manual account hacking." Exploits that are rare — less than nine incidents for every one million people who use Google daily. "However, the damage manual hijackers incur is far more severe and distressing to users and can result in significant financial loss," the researchers mention in their paper Handcrafted fraud and extortion: Manual account hijacking in the wild. "These needle-in-a-haystack attacks are very challenging and represent an ongoing threat to internet users."
Types of account hijacking
To start, there are two types of account hijacks:
● Automated account hijacking: Attacks that try to compromise user accounts via botnets or spam networks. This attack uses automated tools, attempting to maximize the attacker's ROI by scamming a small amount of money from thousands of victims.
● Manual account hijacking: The bad guys hijack accounts looking for ways to steal money, ransom applications or data, leverage contact information for future attacks, or use sensitive personal data against the victim.
To explain the difference between automated exploits and manual attacks, the paper mentions, "Manual hijackers spend significant non-automated effort on profiling victims and maximizing the profit — or damage — they can extract from a single credential."
The graph to the right depicts the relationship between number of accounts hijacked and the "depth of exploitation." It seems we can be thankful the more prevalent automated exploits are less exploitative.
Steal email credentials and profile the victim
The first step is stealing a victim's account login information. The paper mentions the most sought-after account is email followed by online financial accounts. For this discussion, the focus will be limited to email-account hijacking.
Once attackers have the login information, they decide quickly whether the account is worth further effort. The paper explains, "If the brief account value exploration yields promising results, the hijackers spend an additional 15 to 20 minutes per account sifting through emails, and finding ways to monetize the account."
The hijackers are hoping to find emails holding financial or personal data they can use on the current victim or improve their chances of exploiting the victim's contacts by making the scam email supposedly from the victim seem more realistic.
The profiling portion of the attack was of special interest to the researchers. They mention, "This systematic assessment phase and the fact that certain accounts are not exploited suggest that manual hijackers are 'professional' and follow a well-established playbook designed to maximize profits."
The researchers offer more evidence that well-organized groups are behind manual account hijacks:
● The individuals seemed to work according to a tight daily schedule. They started around the same time every day, and had a synchronized, one-hour lunch break. They were inactive over the weekends.
● All individuals followed the same daily time table, defining when to process the gathered password lists, and how to divide time between ongoing scams and new victims.
● They were operating from different IPs, on different victims, and in parallel with each other, but the tools and utilities they used were the same. They also shared certain resources such as phone numbers.
More validation for experts who contend online-crime syndicates are run with business-like precision.
Exploiting the victim's contacts
Most individuals, at one time or another, have received an email where someone is in trouble and needs money. Almost at once the scam is dismissed because the email — an automated account hijacking attempt — makes little sense. However, manual account hijacks are different. Being non-automated, attackers can inject material to personalizing the scam email.
The research team mentions there is a distinct pattern to most of the scam emails. They all tend to have:
● A story with credible details to limit the victim suspicion.
● Words or phrases that evoke sympathy and aim to persuade.
● An appearance of limited financial risk for the plea recipient as financial requests are requests for a loan with concrete promises of speedy repayment.
● Language that discourages the plea recipient from trying to verify the story by contacting the victim through another means of communication, often through claims that the victim's phone was stolen.
● An untraceable, fast, and hard-to-revoke yet safe-looking money transfer mechanism.
The research paper then describes what email providers can do to prevent manual account hacking. Sadly, there are precious few for-sure user defenses other than second-factor authentication — if it is available use it. Two-factor authentication will thwart the bad guys.